In our ongoing effort to provide the most secure WordPress manager to our users, we offer a reward for each qualifying security vulnerability reported in either the MainWP Dashboard plugin or the MainWP Child plugin.
Both plugins are 100% open source.
We are specifically looking for security flaws that would allow a third party to gain access to a user's "Network" once a connection between the MainWP Dashboard and the MainWP Child plugin has already been established. This includes, but is not limited to, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), Broken Authentication, Remote Code Execution, SQL Injection, and Privilege Escalation.
We are generally not interested in DoS reports that amount to a lack of rate limiting or CAPTCHA.
You should install a copy of the plugins and WordPress on your own server.
To help you get started, review the KB section "MainWP first steps".
If you believe you've found a security issue in our plugins, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
To show our appreciation of responsible security researchers, MainWP offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.
Bounties will be awarded to the first reporter of a given vulnerability only.
Amounts may vary depending on the severity of the issue and the quality of the report.
We are interested in any vulnerability in our code; however, issues that can only be exploited by a WordPress Administrator who is already logged in to their own install are ineligible for a bounty, since that account already holds full control of the site.
If a vulnerability requires successfully phishing or otherwise socially engineering a MainWP Dashboard admin, we are still interested in the report, but it will be marked as informative and is not eligible for a bounty.
Bounties are awarded at the discretion of the bug bounty team.
Important Notes on Scope
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the problem quickly.
Give us a reasonable amount of time to resolve the issue before any disclosure to the public or to a third party.
Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or have the explicit permission of the account holder to use.
While researching, we ask you to refrain from the following activities; reports in these categories are out of scope:
Security vulnerabilities in the hosting service, in WordPress core, or in any part of the MainWP website (the reward is for the MainWP Dashboard and Child plugins only! See the Scope and Out of Scope sections.)
Security vulnerabilities in third-party websites, applications, or Extensions that integrate with the MainWP website or the MainWP plugins
Denial of service
Spamming
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Social engineering (including phishing) of MainWP staff or contractors
Any physical attempts against any MainWP property or data centers
We are not interested in social engineering reports.
We are not interested in version disclosure reports.
We are not interested in HTTP sniffing or HTTP tampering exploits; you can assume that all live MainWP Dashboard and Child installs are served over HTTPS.
We will attempt to respond to reports within a week at the latest, and typically within 48 hours. (Please keep in mind that we are distributed across time zones, which may cause a delay if we need to discuss a report internally.) Severe issues will be handled as soon as possible, while all other issues will be addressed as part of our normal update process.
Thank you for helping keep MainWP and our users safe!
| Scope Type | Scope Name |
|---|---|
| web_application | https://github.com/mainwp/mainwp |
| web_application | https://github.com/mainwp/mainwp-child |
FireBounty crawled the MainWP program on the HackerOne platform on 2020-09-09.
FireBounty © 2015-2024